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Introduction 


The Citizens Advice service provides free, independent, confidential and impartial 
advice to everyone on their rights and responsibilities. It values diversity, promotes 
equality and challenges discrimination. Since 1 April 2014, Citizens Advice service 
took on the powers of Consumer Futures to become the statutory representative 
for energy consumers across Great Britain. 


The service aims: 


e To provide the advice people need for the problems they face 
e Toimprove the policies and practices that affect people’s lives. 


The Citizens Advice service is a network of nearly 400 independent advice centres 
that provide free, impartial advice from more than 3,500 locations in England and 
Wales, including GPs’ surgeries, hospitals, community centres, county courts and 
magistrates courts, and mobile services both in rural areas and to serve particular 
dispersed groups. In 2012/13 the Citizens Advice service in England and Wales 
advised 2.3 million people on 6.6 million problems. 


Since April 2012 we have also operated the Citizens Advice Consumer Service, 
formerly run as Consumer Direct by the OFT. This telephone helpline covers Great 
Britain and provides free, confidential and impartial advice on all consumer issues. 


In the last four quarters Citizens Advice Bureaux have dealt with 84,000 enquiries 
about fuel debt, while hits to the energy section of our website doubled in October 
and November, the period during which suppliers announced their price increases 
last year. Calls to the Citizens Advice Consumer Helpline seeking advice about 
energy doubled in the same period. 


Response 


Question: Do you agree that the full review of the smart metering 
Data Access and Privacy Framework should be concluded in 2018 
rather than 2016? Please explain your rationale. 


In principle Citizens Advice does not take issue with the delay of the full review of 
the data access and privacy and framework, particularly in light of the delays in the 
launch of DCC services and subsequent delays to the rollout as a whole. 


However in light of this proposed delay the “continuous monitoring and review” 
process outlined in section 3 of the consultation document will become all the 
more important to ensure that the principles of the Data Access and Privacy 
Framework are upheld as smart meters are installed in consumer homes across 
Great Britain. There remain several outstanding areas of concern regarding the 
handling of consumer data as part of the smart meter rollout. It will be imperative 
that a delay to the review not delay action on these areas. The main issues of 
concern to Citizens Advice are outlined below: 


Protecting consumer transparency and control: 


Citizens Advice and predecessor body Consumer Futures has undertaken extensive 
work with consumers regarding data privacy both generally and with specific 
reference to smart meters and energy data. While consumers frequently have 
varying attitudes to what data they choose to share a common thread across 
demographics is that consumers want control and transparency. They want to be 
able to find out who is accessing or able to access their data, what data, how often 
it is accessed and they want to be able to control this. Recent work examining what 
consumers need, want and expect from smart metering data communications 
materials has emphasised the importance of these requirements' 


Other countries have seen the rollout of smart meters significantly delayed and 
even halted due to consumer concerns regarding the privacy and security of new 
meters which have the capability to collect and store significantly more data about 
consumers and their homes. These concerns are equally present among 
consumers in Great Britain and will need to be adequately addressed if 
government and industry expect consumers to accept and benefit from smart 
metering. 


'http://www.consumerfutures.org.uk/files/2014/01/Smart-and-clear.pdf 


Smart meter data is generated by consumers and in addition to being personal is 
also potentially very valuable. Consumers are increasingly becoming aware of the 
value of their data. As such if suppliers or other parties wish to make use of any 
data beyond what is necessary to provide an accurate bill (i.e. a monthly meter 
read) they will have to offer benefits to their customers that reflect this value. It is 
up to suppliers to make the case to consumers that they will see an active benefit 
from sharing more data. Alongside this it will also be vital that suppliers only 
request access data that is required to provide the services they are offering. 


Consumers are currently afforded some protection and control via the opt-ins and 
outs outlined in section 2.5 of the consultation document, however we have 
recently heard some energy suppliers and networks arguing for additional, more 
detailed data, or a watering-down of the agreed consumer choices regarding their 
data. This risks undermining confidence in the rollout. We cannot state strongly 
enough the importance of a firm foundation for data privacy and protection, the 
consumer opt-ins and outs were formulated to help ensure this and many 
consumers have agreed to have smart meters installed on the basis that they have 
this level of control. Seeking to alter these requirements after meters have been 
installed on the basis of these protections would be unacceptable. These options 
also provide consumers with some leverage to ensure that the benefits smart data 
can provide reach them and are not absorbed by suppliers or networks as 
suppliers will have to offer something in return for consumers sharing more 
detailed data. 


It should also be borne in mind that under the Data Protection Act, as little data as 
possible should be accessed and collected to complete the task at hand, that data 
collected for one purpose should not be used for another and that the act may be 
strengthened or ammended in the near future. 


The DCC and Consumer Consent: 


Concerns remain around the security and privacy of smart metering particularly 
regarding how the Data Communications Company (DCC) is proposed to function. 
As it stands there are robust processes in place by which the DCC must ensure that 
its users (Suppliers and potentially a wide range of third party services) are who 
they claim to be but there is no process by which it then verifies that these users 
have the permission of consumers to access their data. The only proposed means 
of preventing abuse is an auditing process for DCC users, this would only catch 
poor behaviour or data handling after the fact. Even a single incident in which a 
DCC user collects data they do not have permission to access either maliciously or 
in error will risk undermining faith in the smart metering programme. Measures 
taken against a DCC user after the fact would not undo the damage as the user 
would still have the data. Government, energy suppliers and the DCC need to 
address this issue immediately. 


We would also expect a stronger sense of the potential penalties for such a breach 
to be laid out in the near future, particularly as, on a practical level, it seems 


unlikely that any of the larger energy suppliers would be removed entirely from the 
DCC or the SEC even in the event of a significant breach given how integral the DCC 
is to Great Britain’s current smart meter infrastructure, particularly regarding 
consumer experience with switching and services. 


Elsewhere in government the midata programme, which currently deals with far 
less detailed energy data than the DCC will has identified the need to ensure 
consumer consent is adequately authenticated, current proposals are to make use 
of security tokens and other verification methods to ensure such an incident 
cannot occur. Options such as these should be examined as potential solutions to 
this gap in security and privacy protection. 


The CAD 


One element of the consumer data experience not specifically referenced in the 
consultation document that warrants mention is the Consumer Access Device 
(CAD), section 2.5 of the consultation document states: 


2.5 Consumers will be able to share their energy consumption data easily with 
third parties, such as switching sites and energy services companies, if they 
choose to do so. Before third parties access energy consumption data remotely 
via the DCC, they are required to obtain explicit (opt-in) consent from consumers. 


The CAD will allow consumers to access and, should they wise share, their detailed 
near real-time usage data directly via their Home Area Network (HAN) without need 
for this data to be sent via the DCC. Along with the DCC the CAD has a role to play 
in avoiding the risk that suppliers become the gatekeepers to a consumer's data, 
enabling consumers to share their data on their terms with other service providers 
who may offer a wide range of services including but not limited to: tariff 
comparison and switching , energy advice, remote healthcare and home security 
systems. 


The CAD also provides an opportunity for the growing independent market of 
Home Energy Management Systems (HEMS). Consumers should not be ‘locked in’ to 
using only services provided by their energy supplier or need to go via their energy 
Supplier to access and control their own data. 


A Data Dashboard 


Citizens Advice will shortly be launching a piece of work to generate a 
proof-of-concept for a smart meter “data dashboard” which would allow consumers 
to see who is accessing their data, how often and in what detail as well as allowing 
them to query access and, where appropriate, stop it. Such a service would need to 
be impartial, consistent and not charge the consumer for its service. While 
organisations are expected to regularly inform their customers of what data they 
are collecting this should not be the sole means by which consumers can access 
this information or make decisions about it. 


A significant concern with how the DCC is currently planned to operate is that it has 
no consumer facing role. This raises several issues: 


e A lack of transparency for consumers to see who is accessing their data - 
they will have to rely on contacting organisations they believe are accessing 
their data directly, a clearly flawed process as they may not know who to 
contact and, in many cases, may not trust the DCC user to inform them what 
they are not collecting 

e A lack of control for consumers - they will not be able to request that the 
DCC not provide their data to DCC users but will instead have to approach 
the organisation directly. Again issues of knowing who to approach and 
trusting that consumer requests are acted upon are significant 


An independent data dashboard would help mitigate both of these issues by 
providing consumers with all the information in one place. It’s important to note 
that the dashboard would not resolve the issue raised earlier in this response 
regarding the DCC’s lack of any means to confirm that a DCC user has gained 
consumer permission before collecting data. 


